Caveat 3.7.24
Ep 208 | 3.7.24

A breakdown of the latest on the Maritime Executive Order.


Blake Benson: Go back to, like, defending the ocean is probably not an effective strategy. And part of that is this kind of method of prioritization where there needs to be some real risk work done to identify what that is from a top down, you know, port-to-port comparison analysis to determine what systems and components are most important to those operations that would cause, you know, significant economic impacts and detrimental effects to what is quite honestly our kind of economic highway.

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's Privacy Surveillance Law and Policy Podcast. I'm Dave Bittner, and joining me is my cohost, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben discusses an EU court decision on encryption. I've got the story of the FBI using mobile device push notifications to track down bad guys. And later in the show my conversation with Liz Martin from Dragos and Blake Benson from ABS Group. We're discussing the latest Executive Order from the Biden administration covering maritime security. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. We've got some good things to cover here today. Let me just say at the outset here that I'm coming off of a pretty bad chest cold here. So I'm not quite myself.

Ben Yelin: Does that mean I'm going to have to carry this episode?

Dave Bittner: Well, more than usual.

Ben Yelin: Put some pressure on me.

Dave Bittner: More than usual. You always carry the episodes, Ben. But, today --

Ben Yelin: As they say in the football world, next man up, you know.

Dave Bittner: There you go.

Ben Yelin: I'll just -- I'll just have to step up my game a little bit.

Dave Bittner: There we go. There we go. And, to that end, I'm going to ask you to kick things off here with your story.

Ben Yelin: Sure. So my story comes from the Washington Post technology page by Joseph Menn, and it's about a case coming from the European Court of Human Rights, which I basically learned existed when I read this story. So this is a case dealing with the complicated topic of encryption. And there was a case filed in this court by users of the application Telegram. The case was actually a cause of action against Russia. And they alleged that Russia was requiring internet communications organizers to keep all messages sent by users for six months, along with a means to decrypt them. The Russia aspect of this is really interesting. So 46 countries signed the European Convention on Human Rights, which is the way that this court has jurisdiction is the fact that all these countries signed this convention.

Dave Bittner: Okay.

Ben Yelin: Russia was one of the signatories. Now --

Dave Bittner: Really?

Ben Yelin: Yeah.

Dave Bittner: Okay. That was -- there's a plot twist.

Ben Yelin: Yeah. It's funny. If they don't obviously plan to abide by it, by this decision because that's just not what they do, also note that the UK was one of the signatories. And they have a notoriously fickle relationship with the European Union so.

Dave Bittner: And encryption.

Ben Yelin: And encryption. Absolutely.

Dave Bittner: Yeah.

Ben Yelin: It's a major part of the story.

Dave Bittner: Okay.

Ben Yelin: So this is an EU case. But, like, I think we should put the EU in quotation marks given some of the parties that this affects. So, basically, what this court held is that encryption is a fundamental -- is fundamental to the basic right to privacy. And there should be a very high bar for governments and countries to do anything to break that link, to cut against this idea that we should be able to have end-to-end encryption to protect the privacy of our communications. This is really a moral decision. I mean, it's the Convention on Human Rights. So it's not like a technical legal matter. It's setting out for all of the signatories of this country that it is a fundamental value for human rights to allow people to have secure encrypted communications. And I think there are a couple of reasons why this decision is significant. It doesn't have any legal impact in the United States. But I think it can have a practical impact. There has been a concerted effort both in state legislatures and among members of Congress to create back doors to prevent encryption from stopping our efforts to combat certain types of crimes, certainly things like CSAM. And there have been efforts in, as you mentioned, the United Kingdom to pass similar types of laws that would prevent companies from operating end-to-end encryption within the country providing the government access to these private communications. And I think the gist of this decision is it's going to make all countries, whether they're signatories to this convention or not, much more cautious about trying to pursue policies to break encryption, just because this is such an important expression of values on the part of this court. And I think that could have major downstream effects going forward.

Dave Bittner: Do you? I mean, I -- this strikes me as being an aspirational expression because there is no enforcement here. Right?

Ben Yelin: At least in the United States. Yes.

Dave Bittner: Well, and presumably in Russia.

Ben Yelin: And Russia, yeah. Russia is not going to comply with this.

Dave Bittner: And, of course, China, who's not a signatory. But I guess what I'm saying is something like this is -- is done to try to establish an international norm, right.

Ben Yelin: That's what I think it is attempting to do. Now, there will be various forces who will try to cut against that international norm, and for very good reasons, CSAM being one of them. And also our ability to solve not just garden-variety criminal activity but to do counterterrorism work. Or even to fight off cyberattacks from foreign entities, we have an interest in being able to have access to some of these communications. But I think from the company's perspective it'll add to kind of a body of evidence that privacy is a fundamental value in the technological world. So there's this quote from a high commissioner on this particular court, Volker Turk. He said he welcomed the ruling, which he promoted during a recent visit to tech companies in Silicon Valley, saying encryption is a key enabler of privacy and security online. It's essential for safeguarding rights, including the rights to freedom of opinion, expression, freedom of association, and peaceful assembly, security, health and nondiscrimination. I just think it's going to be a little harder now that those are explicitly stated values in a at least somewhat seriously respected entity here in this court. I think it's going to carry at least some persuasive weight. I could be wrong, and tomorrow we could decide as a country, Screw it. Let's create some back doors. But I do think that this is going to have some carryover impact.

Dave Bittner: Well, let me ask you this: So, in the pre-digital age, where did the world stand, the communities of the world, the nations of the world stand in terms of general privacy being a fundamental human right?

Ben Yelin: So it's not explicit. Privacy is not an explicit right in the United States Constitution.

Dave Bittner: Yeah.

Ben Yelin: It has been imputed to various provisions of the Constitution, kind of a penumbra was the word they used of other constitutional rights, which indicate a generalized right to privacy. That was one of the original justifications behind Roe v. Wade, which, of course, has been overturned. But the court has not gone so far, even the recent conservative court, in explicitly saying there's not a right to privacy. I think there is still a recognized right to privacy. I think to reduce this to privacy rights isn't giving enough credit to opponents of governments that are trying to cut against encryption. I think there are values beyond just privacy, and the quote I just read I think gets at some of them: associational rights, the ability to freely communicate without the fear that your communications are going to be caught up in a government dragnet I think goes beyond privacy. It goes to some of our explicit constitutional rights. I don't really know that much about the constitutional provisions in various European countries.

Dave Bittner: Yeah.

Ben Yelin: You know, for example, the UK doesn't really have a Constitution. It's governed by common law and political custom. Russia's constitution probably says a lot of things.

Dave Bittner: Right.

Ben Yelin: But I don't know how many of those things that actually follow in practice like, you know, we'll -- we'll have free and fair elections, for example.

Dave Bittner: Sure.

Ben Yelin: Unless you think Putin really earned, you know, 99.7% of the vote or whatever.

Dave Bittner: Could happen.

Ben Yelin: Yeah.

Dave Bittner: Yeah. I mean, I guess it's interesting. And your point is a good one, that it's not fair to apply -- or perhaps not accurate to apply pre-digital standards to a digital world when so much of what we do and we rely on for our communications, you know, what used to be a clandestine meeting in an underground parking garage, you know, to share secret information would now take place in an encrypted end-to-end encrypted app.

Ben Yelin: Yeah. I mean, it's -- it is very hard to analogize to the pre-digital world. But think of something like we had letters that could be secured with a physical lock. And people could send those letters back and forth. We would only share the lock combination with the person that we were sending the letter to.

Dave Bittner: Right.

Ben Yelin: And what if the government came in and said, there should be some universal unlock code that's available to us just in case.

Dave Bittner: But isn't that what a warrant would do in the physical case? Isn't that the -- isn't that the ascent -- the effective back door?

Ben Yelin: It is. And there isn't a lock. I mean, most mail throughout history wasn't secured --

Dave Bittner: Yeah.

Ben Yelin: -- with a physical lock. But I still think we would find that offensive because the Fourth Amendment protects situations where somebody exhibits a subjective expectation of privacy. And that expectation is one society is willing to recognize as reasonable. So if you've taken steps to secure your own communications, then you have exhibited that subjective expectation of privacy. And I think all of us would agree that protecting our private communications is a reasonable aspiration. So, yes, a warrant would apply. But, you know, there are a lot of situations where we have things like quasi-warrants or subpoenas where -- or exigent circumstances where the government might still have access to these communications, even in the absence of a warrant, not to mention once you create these back doors they could fall into -- the keys to the -- to those back doors could fall into the hands of malign actors.

Dave Bittner: Right.

Ben Yelin: So it always creates that risk. And all of those I think are thematically persuasive of this EU court opinion.

Dave Bittner: All right. Well, where do you suppose it goes from here? I mean, is this -- is this put out into the world? And, as you say, the hope here is that it is influential. How do you suppose we'll be able to measure success?

Ben Yelin: So, you know, the -- our intelligence apparatus has talked about the challenges of end-to-end encryption. One of the quotes in this article comes from our FBI director, Christopher Ray. He told an audience of college students last year that terrorists, hackers, child predators, and more are taking advantage of end-to-end encryptions to conceal their communications and illegal activities from us. So you're going to have that pressure applied by our intelligence agencies and law enforcement. And I think this decision gives our policymakers kind of a framework to reject those entreaties to say, We understand the importance of catching criminals. We also think terrorists, hackers, child predators, etc. are bad people, and we'd like to stop them from committing crimes. But we can now reference this Convention on Human Rights, which says, even despite the advantages of being able to access these communications, there are fundamental values at play here. And I think whether that's 100% persuasive to policymakers, I'm unsure about that. But I think it certainly helps.

Dave Bittner: All right. Well, we'll have a link to that story in the show notes. My story this week also comes from the Washington Post. And this is about push alerts and the FBI using push alerts to track criminal suspects. Ben, how many push alerts would you say you get on your phone per day? I'm asking you this knowing that you are a sports fan, and so I suspect that that's -- I'm guessing here that, of my -- of my friends and colleagues, I'm guessing that sports are something that you will keep up to date on.

Ben Yelin: Yeah. I would guess with push alerts I probably get -- it's going to go into the three digits per day.

Dave Bittner: Really.

Ben Yelin: It's possible, at least. Now, I don't do a great job of turning off push alerts for applications that I never use.

Dave Bittner: Okay.

Ben Yelin: So I'll find out, you know, every time Jimmy Johns wants to offer me a free cookie with my sandwich --

Dave Bittner: Okay. Gotcha.

Ben Yelin: -- I'll find out. Or if there's been an update to, you know, the LIV golf whatever, ESPN is going to notify me so --

Dave Bittner: Right.

Ben Yelin: -- I could do a better job of protecting myself, but I get a lot of push alerts.

Dave Bittner: Okay. Well, this story centers on push alerts. And it has to do with the FBI going after a suspected pedophile because this is where these stories always seem to center.

Ben Yelin: Right. Those are the edge cases. That's how it works.

Dave Bittner: A suspected pedophile who went by the username LuvEmYoung -- don't know how they -- how they caught on to the fact that perhaps this person --

Ben Yelin: Could you have picked a less -- I mean, it's just like the -- literally the worst username you could possibly pick in these circumstances.

Dave Bittner: Yeah, yeah. So this person was -- was suspected of doing, you know, all of the horrific and terrible things that -- that pedophiles do. And he was also using an end-to-end encrypted app called TeleGuard, which, like many of those apps, provides anonymity and makes it so that it's impossible for other folks, law enforcement, even the providers of the app to read your messages because they are encrypted end-to-end. Only the sender and receiver can read the messages. It turns out that these apps also have their hooks into your mobile device's operating system to enable push notifications. So let's say, for example, Ben, you're using TeleGuard.

Ben Yelin: And I don't, but we'll stipulate that. Go ahead.

Dave Bittner: It could be TeleGuard. Could be Signal. Could be, you know, any of the secure apps. So I send you a message. And TeleGuard creates a token, which it sends to either Apple or Google, in this case, the -- you know, the providers of your operating system for your mobile device and says to them, Hey. We've got a push notification here. Here's the token for this push notification. Please alert this user that this push notification has happened. So what we have here is a piece of metadata, right? It is a notification that is not part of the end-to-end encryption that this communication occurred. So what the FBI has been doing is it has been going to providers like Google, providers like Apple and demanding that they provide this metadata on these push notifications. And then they can cross reference that information with other information in their investigations, things like IP addresses, email addresses, those sorts of things. And they've been quite successful in using these push tokens to narrow down who a suspected criminal could be.

Ben Yelin: Yeah. So we have over 130 search warrants, this article says, and court orders related to push alert data in various criminal cases across the US. So it's been used rather extensively.

Dave Bittner: Yeah. Now, an interesting wrinkle here is that part of what the FBI and I believe the Department of Justice, as well, were doing here was they were insisting that Apple and Google not reveal that they were sharing this information. They were -- they put a gag order on them. And then I believe it was Senator Wyden who blew the whistle.

Ben Yelin: Who else, right? Yeah.

Dave Bittner: Well, he is the usual suspect who blew the whistle on this, raising questions about it. After his announcement of it, Apple then said, Well, now that it's public, we will share information about this. Believe Apple also upped their stringency of saying that they -- they weren't just going to turn it over with a subpoena, that they actually would --

Ben Yelin: Has to have a warrant. Yeah.

Dave Bittner: -- require a warrant. Yeah. So, on the one hand, this is interesting. And you can certainly see the value for law enforcement to be able to use this kind of metadata to get people doing bad things. And I think on its face, well, we think, well, that's probably a good thing. But, of course, the concerns here and folks like the EFF and other folks who are concerned with online privacy worry that this very thing could be used, for example, if someone were crossing the state lines in order to get an abortion --

Ben Yelin: Absolutely.

Dave Bittner: -- something like that.

Ben Yelin: Yeah. I mean, that's the real risk here. I think push tokens are valuable law enforcement tools if they are being pursued against criminal activity that you think should be pursued. I mean, all of us are subject to our own biases, right.

Dave Bittner: Right.

Ben Yelin: I think what concerns many privacy advocates is we have these state abortion bans. If somebody's using, like, a period tracking application, for example, or even something as seemingly innocuous as Google Maps, and the state government via obtaining a court warrant accesses these push tokens, they can use that to prosecute people for seeking abortions out of state. They could be criminally prosecuted and convicted. And so that really presents an unacceptable concern for both digital privacy advocates and also abortion activists. And it's not just abortion. I mean, you can see this being used and abused in other circumstances. So, you know, let's say everybody who is going to a major political protest is communicating over WhatsApp or Signal or some other encrypted application, right? If those push tokens become available and the government is able to obtain either via subpoena with Google or perhaps a warrant with Apple access to that information, that could have major effects on people's associational and free speech rights because people might be dissuaded. It might be a chilling effect on pursuing such activities if you know that these push alerts might be your ticket to prosecution. Now, what -- I guess the question I have is could an individual solve this problem by disabling push alerts?

Dave Bittner: Ah. Excellent question. And I wondered the same thing. So I reached out.

Ben Yelin: Good for you. Look at you.

Dave Bittner: I actually did some research, Ben.

Ben Yelin: Yeah. Some actual work? Wow.

Dave Bittner: Well, you know. Yeah. So I reached out to some folks who know about these sorts of things, and I cannot say with absolute confidence that this is the answer. But the general feedback that I got was that, if you disable push notifications on your phone, basically, all that does is mute the notification. So the push is still generated from Apple or Google.

Ben Yelin: The token is still created.

Dave Bittner: The token is created. You just ignore it.

Ben Yelin: I see.

Dave Bittner: So it seems to me that, if you were a provider of one of these services, let's say you were TeleGuard or Signal or any of the end-to-end encryption apps, if you included an option within the app to never send a push notification, right, so that the only way that you would get your messages would be to go in and check for them manually --

Ben Yelin: Right.

Dave Bittner: -- then it seems to me that would circumvent this sort of thing. Now, before we started recording here, I went poking around within Signal to see if that sort of functionality was in there. I couldn't find it. Doesn't mean it's not there. But, you know, a quick looking through the settings I didn't see anything that seemed to be that sort of thing so.

Ben Yelin: I wonder if that's going to change now if, because of articles like this, the companies become more conscious about creating these tokens --

Dave Bittner: Right.

Ben Yelin: -- and give people the option, whatever the opt out is that would prevent these tokens from being created.

Dave Bittner: Yeah.

Ben Yelin: Again, they would make the apps much less useful. I mean, if you never got a notification on your phone that you're receiving a message and you were just literally checking your message application every five seconds, that would be very inconvenient.

Dave Bittner: Right.

Ben Yelin: We all keep our phones in our pockets. And when we get messages that we want to receive, it provides us a notification. So you can't kind of have your cake and eat it too. I think the easy solution, if you only cared about privacy, would be to figure out a way to disable these notifications. But, for most people, that's just not going to be very practical.

Dave Bittner: Yeah. I wonder, too, if Apple and Google could find some way to obfuscate this information themselves. And I don't know enough about the technology to, you know, propose a solution here. But in the same way that they have added encryption or, you know, those kinds of things to various elements of what they do to try to keep people from gathering information on you, is there some way that they could scramble this information or, you know, fuzz it or those sorts of things to make it not so straightforward to gather this metadata and still maintain the functionality that people want? I don't know.

Ben Yelin: Yeah. I don't know, either. I will say that they are responsive to public outcries about this type of thing. They mention in this article the whole hash value experience where Apple began seeking access to people's devices to see if there was a hash value for CSAM images.

Dave Bittner: Oh, right.

Ben Yelin: And they reverse themselves after a huge backlash.

Dave Bittner: Yeah.

Ben Yelin: So I think they're very conscious about being seen as not being totally 100% protective of people's privacy. So I think, you know, any internal policy from more so Apple than Google will be geared towards ameliorating these effects.

Dave Bittner: Yeah. I would suspect that Apple would probably lead the way. That seems to be certainly more of their marketing message, if nothing else.

Ben Yelin: Yeah. That's what Apple does. I mean, they've led the way on this for going on decades now. So I wouldn't be surprised if, when you see a Ron Wyden letter being released into the ether, I'm sure Apple is the first one that -- where they convene a meeting and their Silicon Valley officers saying, What can we do about this? Yeah.

Dave Bittner: Right. They throw up the bat signal that's the Apple logo for the attorneys, one infinite loop.

Ben Yelin: Exactly, exactly.

Dave Bittner: So listen. And for our listeners out there, if you have some expertise in this and if there's some nuance here that we're missing or something you'd like to contribute to this conversation, we would love to hear from you. You can email us. It's

Ben Yelin: Yeah. Call us out. I legitimately enjoy it, especially on, you know, speaking for myself, I got a lot of the technological aspects wrong. So I -- always useful when people hold us accountable.

Dave Bittner: We can take it.

Ben Yelin: We can take it. We have thick skin.

Dave Bittner: All right. Ben, in addition to hosting this podcast, there are a few other shows that I host. And one of them is called Control Loop. And that is a security show all about industrial control systems and all that critical infrastructure stuff that we rely on as civilization. And I had an interview over on that show with Liz Martin, who is from Dragos, and Blake Benson from ABS Group. We're talking about the latest Executive Order from the Biden administration which is covering maritime security. Here's part of that interview with Liz Martin and Blake Benson.

Blake Benson: The big thing about the new Executive Order, it was kind of bucketed into a couple items in the release. One thing upfront is that it allows DHS and primarily through the Coast Guard to directly address maritime cyberthreats. And they say that that's through cybersecurity standards for America's ports and networks and systems to make them more secure. But the Coast Guard has been -- has had the cleanest tie to authority because of the Maritime Transportation Security Act and some other congressional authorities that are unique to the Coast Guard. So they -- they have always had responsibility over these areas, but it did not -- it was not specific to cyber. So they've expanded these. Largely part of the EOs and the Notice of Proposed Rulemaking was for the Coast Guard to expand that guidance to cover cyber or that authority to cover cyber, rather.

Dave Bittner: Well, so given that it's the Coast Guard who's going to be heading this up, to what degree do we feel as though they are prepared to take on this mandate?

Blake Benson: Yeah. It's interesting. It's an interesting question. I work with the Coast Guard often. I'm a former cyber operator myself and a uniform component. And so certainly have a good understanding and intimacy with kind of the cyber operations that the Coast Guard is currently conducting. And they punch well above their weight class. But, you know, think authority without capacity is a real thing. It's difficult to do that. And the Coast Guard has been, you know, relatively underfunded. There are cyber resources, although lots of effort has been placed on increasing those. It's difficult for any component to recruit and get people engaged in the time that we live in right now. And so I think they struggle with the same things that Navy and Air Force and everyone else are struggling with to get cyber talent. But there -- they are a very competent and very lean force, but they need to be better. I think it would be great if the Coast Guard was better funded and better resourced to -- to get more capacity there.

Dave Bittner: Liz, what do you suppose the impact is going to be here of this Executive Order

Liz Martin: I think it's going to force the Coast Guard to have to look holistically across their organization to understand from a people, processes, and technology standpoint and a solutioning standpoint what types of outcomes they're looking to achieve to get to a place where they're achieving some of the things that have been outlined in the Executive Order and some of the things that have been covered in the Congressional hearings as of yesterday on overall port security. And, as Blake mentioned, they are a small but mighty team, truly looking to punch above their weight class, as he said. And they have the, I think, the capacity and capability to do so with more sort of appropriations and funding needing to be dedicated to the problem set that they're ultimately looking to tackle there.

Dave Bittner: What is the general understanding of where we stand when it comes to the security of our ports?

Liz Martin: There's a couple of factors there. And, Blake, feel free to chime in after I go forth here. But one of the biggest things that we're at least seeing from a threat perspective is really the overall supply chain risks there. Obviously, the sort of emphasis has been on the cranes at ports and those components within those cranes that are coming from places like China. So given the sort of supply chain risks there, there's been a lot of emphasis placed on that. But the sort of larger bigger picture that I think a lot of people don't quite look at here is these ports are made up of many different sorts of critical infrastructure components. So things that we're used to seeing in electric, things that we're used to seeing in transportation and logistics environments, as well as things that we are used to seeing in oil and gas environments. So there are a lot of common devices and protocols that span across those ports, which really increases the sort of threat surface and target for any potential threat group or adversary to want to be able to go after.

Dave Bittner: Blake.

Blake Benson: Yeah, absolutely. To add to that, I think the approach -- I mean, this EO, and not to punch down on my own people, given that I do -- I do support the government and some strategic decision-makers and the, you know, kind of risk policies and strategies that -- that make up some of these but -- and not to punch down on cyber people because I'm one of those. But, in general, I don't think many people from traditional cyber backgrounds understand how to communicate risk effectively. And, because of that, if you asked anyone in the US government, not just in the Coast Guard or otherwise, what we should prioritize from a cybersecurity perspective in these port environments, you would get a lot of blank stares and faces. And that's not unique to this. It's -- it's made more impactful because of the depth and breadth of the stakeholders at these ports. To Liz's point, like, the variety of stakeholders that exist in any given port and the differences between them as is just really vast and disparate. And so a national top-down policy to address this ocean is -- is going to be very difficult to implement.

Dave Bittner: Does the Executive Order provide any clarity on setting those priorities?

Blake Benson: They do, although potentially misguided based on prevalence. If you were to ask industry, I think that's what they would say because the vulnerability, a threaten and a vulnerability in this space does not automatically equal a consequence. And that should be made clear. And I think that's what industry is going to push back on the most. You talk about cyber, you know, a large portion of the notice of proposed rulemaking and the press release and even act -- to Liz's point, the Congressional committee hearing that was yesterday or two days ago, whichever, whichever day that was. But the biggest thing with that is they don't understand -- like, to be able to report a cyber incident, you're assuming that these owners and operators have the maturity to be able to actively identify a threat or a vulnerability that is currently existing in their platform or operation. And the reality is that they don't. So, yeah. Some of the some of the areas of emphasis are, in my opinion, probably misplaced. And I think that kind of assumption of the level of maturity of some of the stakeholders and their OT cybersecurity programs is a little bit misguided.

Dave Bittner: You know, when we talk about critical infrastructure, one of the things that I've learned is that there's a tremendous amount of diversity generally. You know, there's -- a lot of this stuff are one-offs. And I'm curious, does that -- to what degree does that apply to the maritime space, too, or to, you know, how much does one port look like another and function like another? And how much variety is there where they're really different from one another?

Blake Benson: Yeah. A hundred percent. You're right on -- right on point there. And so, like, to break it down from the start, it's like -- one of the questions you should ask is, like, what is that analysis of our nation's most critical functions in these port facilities? How do we know what cyber dependencies exist? And how do we know how to hunt those threats that impact the vulnerabilities within our most critical kind of cyber-enabled functions or dependencies that drive those critical port operations? Do we have intelligence requirements that are driving collection activities in these environments to help inform that threat? And, more importantly, are our uniform Coast Guard operators able to perform, you know, hunt activities in the networks on these pre-identified threats at scale? I go back to, like, defending the ocean is probably not an effective strategy. And part of that is this kind of method of prioritization where there needs to be some real risk work done to identify what that is from a top-down, you know, port-to-port comparison analysis to determine what systems and components are most important to those operations that would cause, you know, significant economic impacts and detrimental effects to what is quite honestly our kind of economic highway, right?

Dave Bittner: Yeah. Liz, as you look at this, in your mind, what would be a potential pathway for success here? Are there -- is there a framework that you think would be most effective?

Liz Martin: Yeah, absolutely. And great question. I definitely think it's a large problem set to try and tackle and put a framework around, but I definitely think there's a path forward there to look at this as, you know, foundationally, what are they trying to defend here at these ports, and what are they trying to defend against? And it's sort of what Blake just mentioned here is the notion of, we have an idea of what these threats are. But do we actually know what devices are we trying to protect against those threats. And, again, hitting back towards that key component of visibility, which I'll just continue to harp on because it's a critical component to this overall equation and figuring out what a framework could look overlaid on top of this problem set. I'll also add -- and, Blake, feel free to add to this as well -- you know, some of the key things that have been missing traditionally across the maritime space is being able to not just look at it from a physical security standpoint, which has been very, like, the traditional way of looking at things but also factoring in those cybersecurity components. We've had frequent conversations, Blake and I, about, you know, MSRAM and being able to understand the risks to these various ports and to maritime transportation systems. And that's something his team's worked specifically on to try to break down what those cybersecurity components are factored into that overall risk equation and threat equation, not just the physical security aspects.

Dave Bittner: You know, Blake, a lot of the reporting that I've seen has focused on these cranes as kind of a -- an example, you know, these Chinese-sourced cranes. But it's my understanding that this will affect the vessels themselves.

Blake Benson: Yeah. So a lot of the guidance in the Coast Guard -- in the Coast Guard presser especially talked quite a bit about kind of the ability to inspect vessels, to levy authorities, to, you know, try and bring vessel cybersecurity maturity up. There have been other -- this is not new. I mean, the Coast Guard has been trying to do this. They had a work instruction that was specific to commercial vessel inspections to look at cyber plans, that that rag was built off of the International Maritime organization's 2021 guidance based on essentially including cybersecurity measures and their vessel safety management system or safety management plan and the vessel security plan. So, you know, there are precedents for the government or various, you know, industry working groups or, you know, the International Association of Classification Society saying that you need additional cybersecurity measures when you're building a new ship, and those guidelines come out later this year. So there's -- there's lots of stuff out there for vessels. But we scan -- I mean my company and our group, my team. We scan lots of ships. We do a lot of cybersecurity assessment work on ships. And, you know, you really need to take into account what's important, what's critical on these ships. And although they -- you know, they may have someone on board that understands cybersecurity, largely, you know, these systems need to have some sort of risk assessment done to determine, okay. What constitutes a bad day for me? What vulnerabilities, if exploited, could actually cause some sort of poor operational outcome, failure of the mission, whatever that might be that could be a harmful, you know, consequence or safety operation. And I didn't see anything about that in the -- in the notice other than, hey. We're going to require these ships to have additional cybersecurity requirements. But going back to authority without capacity, you know, who's going to inspect that? Who's going to verify that? Who's going to hold the vessel owners accountable? It's another -- another gap in a capability there.

Dave Bittner: Bed, what do you think? It's interesting stuff, huh?

Ben Yelin: It is. Yeah. It's the most intriguing crossover since the Avengers franchise. But yes.

Dave Bittner: It's like the time the Dallas Cowboys were on the Love Boat.

Ben Yelin: Exactly. It's so out of context. But I'm glad they came on. I have to admit I knew very little about maritime security, so it was a very interesting conversation.

Dave Bittner: It's interesting to me, I think, how much -- how much commerce happens over the seas via the oceans that most of us don't think about because of how little -- in my mind how little travel we all do on the oceans.

Ben Yelin: Right.

Dave Bittner: We're on the highway, we see trucks. We see trains from time to time. We see airplanes overhead. And so, in my mind, I think about those are the ways lots of things get transported, and it is. But so much stuff gets sent through our ports.

Ben Yelin: My advantage here is having grown up in San Francisco.

Dave Bittner: Ah.

Ben Yelin: I would see giant ships coming under the Golden Gate.

Dave Bittner: Yeah.

Ben Yelin: And I would ask my parents, you know, What -- what is that giant ship? And it's, Oh, they're shipping things from China.

Dave Bittner: Right.

Ben Yelin: And so that's my association with it. So I think I intellectually realized it. But, yeah. I mean, it is striking. And it's just something that we don't really talk about, given how much of our commerce is affected by maritime trade.

Dave Bittner: Yeah. Well, our thanks to Liz Martin from Dragos and Blake Benson from ABS Group for joining us. And if you are interested in this sort of thing, do check -- if you're interested in this sort of thing, do check out the Control Loop podcast. You can find that on our CyberWire website and wherever you get your podcasts. We do appreciate Liz and Blake taking the time. That is our show. We want to thank all of you for listening. A quick reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.